8.0.4.3 Addendum – FolderWatch/HoneyPot Definitions
WARNING: These settings are designed for, and should be used by, advanced users only, or as directed by Foolish IT support staff. Misuse of these settings can severely impact the performance and ability of both the FolderWatch and HoneyPot Detection protection features in CryptoPrevent. Use these options at your own risk; in most cases here less is more, and being specific is safer!
- Whitelist Process from being Killed
- One entry per line
- This option applies to the Kill Apps Now button on the Apply Protection tab, to the options in the system tray right-click menu, and to the FolderWatch service killing tasks during a HoneyPot Detection activation
- Only the executable name with its extension is needed, and it is not case sensitive (ex. c:\program files\InstalledProgram\InstalledProgram.exe would only need a line entry of “installedprogram.exe”)
- Notes:
- It is not recommended to add any browser process name, as browsers are the most common apps you want to be killed easily, and most modern browsers restore their sessions fairly well
- Common programs you may want to add would be a word processor, another office productivity application, or a database application; however, since these can themselves be points of attack, you may want to be very conservative in adding them too. Shortening the autosave interval in those applications may be a better route
- FolderWatch Whitelist Path
- One entry per line
- This option allows entire folders, specific files, or files in given locations to be ignored by FolderWatch
- This can be useful when a file in a folder monitored by FolderWatch requires a file lock and will not share access with FolderWatch
- Can use:
- wildcard (*) for path variables
- d7x variables (more information about variables here)
- line entry ending with a trailing backslash so the entire folder is ignored
- ex:
- <ad>\programV18.*\ would have FolderWatch ignore the entire folder for a path in application data (roaming for Vista+) where the version number in the folder name changes
- c:\installed program\programfilename.* would have FolderWatch ignore files with that name and any extension
- c:\installed program\programfileV*.exe would have FolderWatch ignore files whose name contains a variable version number and has the matching extension
- HoneyPot Whitelist Pattern
- One entry per line
- This can be used to allow files that might match a built-in blacklisted pattern, which is helpful when filenames in folders monitored by FolderWatch might be similar or identical to those of some ransomware variants
- Note that each whitelisted pattern adds time to every check against the blacklisted patterns. That delay means ransomware could remain active and encrypt additional files before FolderWatch is able to detect and kill it. It may be better to ignore specific files or file types that match patterns using the FolderWatch Whitelist Path options instead
- Can use:
- wildcard (*) for path variables
- d7x variables (more information about variables here)
- ex:
- If a false positive is triggered by the *.crypto pattern, *.crypto can be added as a line entry to ignore future matches
- <ad>\programV18.*\ would have HoneyPot Detection ignore the entire folder for a path in application data (roaming for Vista+) where the version number in the folder name changes
- c:\installed program\programfilename.* would have FolderWatch ignore files with that name and any extension
- HoneyPot Blacklist Pattern
- One entry per line
- This can be used to create your own pattern-matching rules for detecting encryption activity
- Can use:
- wildcard (*) for path variables
- d7x variables (more information about variables here)
- ex:
- <ad>\programV18.*\ would have HoneyPot Detection triggered if files are created or changed in that folder in application data (roaming for Vista+), whatever the version number in the folder name
- c:\installed program\programfilename.* would have HoneyPot Detection triggered by files with that name and any extension in that specific folder
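The three definition lists above (FolderWatch Whitelist Path, HoneyPot Whitelist Pattern and HoneyPot Blacklist Pattern) share one entry syntax, so a single added example covers all three. This is illustrative Python, not CryptoPrevent's own code: it models how an entry with a `*` wildcard, a `<ad>` variable and a trailing backslash is compared against a file path, and it applies the three lists in the order the text implies, where every whitelisted pattern is evaluated before a blacklist pattern can fire. The `<ad>` value, the check order and the exact matching rules are assumptions, and the sample paths are constructed.

```python
import fnmatch
import ntpath

# Constructed stand-in for the d7x variable set. The page only names <ad> (application
# data, roaming on Vista+); the value here is an assumed example path.
VARIABLES = {
    "<ad>": "C:\\Users\\alice\\AppData\\Roaming",
}


def expand_variables(entry: str) -> str:
    """Replace d7x-style <variable> tokens with their values (constructed mapping)."""
    for token, value in VARIABLES.items():
        entry = entry.replace(token, value)
    return entry


def entry_matches(entry: str, path: str) -> bool:
    """Return True if one definition line matches a file path.

    Assumed semantics, modelled on the page's examples rather than on
    CryptoPrevent's actual matcher:
      * comparison is case-insensitive, as Windows paths are
      * '*' matches any run of characters
      * an entry ending in a backslash covers everything under that folder
      * an entry with no backslash (e.g. *.crypto) is matched against the
        file name only, so it applies in every monitored folder
    """
    entry = expand_variables(entry).lower()
    path = path.lower()
    if entry.endswith("\\"):
        return fnmatch.fnmatchcase(path, entry + "*")
    if "\\" not in entry:
        return fnmatch.fnmatchcase(ntpath.basename(path), entry)
    return fnmatch.fnmatchcase(path, entry)


def evaluate(path, folderwatch_whitelist, honeypot_whitelist, honeypot_blacklist):
    """Classify a file event according to the three definition lists.

    The check order is an assumption, chosen to match the page's note that every
    HoneyPot Whitelist Pattern adds time before blacklist matching can fire:
      1. FolderWatch Whitelist Path  -> event ignored entirely (cheapest check)
      2. HoneyPot Whitelist Pattern  -> suppressed even if a blacklist pattern matches
      3. HoneyPot Blacklist Pattern  -> HoneyPot Detection triggers
    """
    if any(entry_matches(e, path) for e in folderwatch_whitelist):
        return "ignored"
    if any(entry_matches(e, path) for e in honeypot_whitelist):
        return "whitelisted"
    if any(entry_matches(e, path) for e in honeypot_blacklist):
        return "detected"
    return "clean"


# Constructed definition lists, built from the page's own example entries.
FOLDERWATCH_WHITELIST_PATH = [
    "c:\\installed program\\programfilename.*",  # one file name, any extension
    "c:\\installed program\\programfileV*.exe",  # versioned file names, fixed extension
]
HONEYPOT_WHITELIST_PATTERN = ["*.crypto"]  # suppresses a false positive on *.crypto
HONEYPOT_BLACKLIST_PATTERN = ["*.crypto", "<ad>\\programV18.*\\"]

# Constructed sample events to classify.
SAMPLE_PATHS = [
    "C:\\Installed Program\\programfilename.dat",
    "C:\\Installed Program\\programfileV3.exe",
    "C:\\Installed Program\\other.exe",
    "C:\\Users\\alice\\Documents\\report.docx.crypto",
    "C:\\Users\\alice\\AppData\\Roaming\\programV18.2\\data.bin",
]

if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        without = evaluate(p, FOLDERWATCH_WHITELIST_PATH, [], HONEYPOT_BLACKLIST_PATTERN)
        with_wl = evaluate(p, FOLDERWATCH_WHITELIST_PATH, HONEYPOT_WHITELIST_PATTERN,
                           HONEYPOT_BLACKLIST_PATTERN)
        print(f"{p}: {without} / with *.crypto whitelisted: {with_wl}")
```

Running the script side by side with and without the `*.crypto` whitelist shows the trade-off the text warns about: the whitelist entry silences the false positive, but it is consulted on every event in every monitored folder, whereas a FolderWatch Whitelist Path entry for the one folder that produces the false positive is both cheaper and narrower.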
- Custom HoneyPot Files
- One entry per line
- Allows you to:
- create your own honeypot files, named with or without the default extensions
- Syntax per line:
- filename|filetype|extensionsdisabled
- the pipe (|) character must separate the three fields of each custom honeypot file definition, and all three fields must be defined as described, or errors or unexpected results may occur
- filename=the custom file name you would like used (include the extension if you are disabling the default extensions)
- filetype=Normal, Hidden, or System, which creates the custom file with the indicated attribute
- extensionsdisabled=0 or 1, where 0 uses the default honeypot file extensions and removes any extension in the filename, and 1 does not use the default honeypot file extensions and instead uses the extension defined in the filename above, if any
- enable or disable creation of the default honeypot files
- to disable the default honeypot files, add a single line entry of:
- nodefault
- disabling the default honeypot files without adding custom files of your own will cause honeypot detection to operate on file/folder name pattern matching alone
- to leave the default files in place, simply do not add that line; the default files with various filenames will be created as system files, as is standard, along with any custom files you have defined
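As an added example of the Custom HoneyPot Files syntax (illustrative Python, not CryptoPrevent's own code), the following parser reads a definition box line by line, honours `nodefault`, validates each `filename|filetype|extensionsdisabled` entry instead of guessing at malformed ones, and expands each definition into the file names that would be created. The default honeypot extensions are not listed on the page, so three constructed stand-ins are used; the sample definitions are constructed as well.

```python
from dataclasses import dataclass
import ntpath

# Constructed stand-in: the page does not list CryptoPrevent's default honeypot
# extensions, so three assumed ones show how extensionsdisabled=0 expands a name.
DEFAULT_EXTENSIONS = (".doc", ".jpg", ".txt")
FILETYPES = ("Normal", "Hidden", "System")


@dataclass(frozen=True)
class HoneyPotFile:
    name: str
    filetype: str          # Normal, Hidden or System attribute for the created file
    extensions_disabled: bool

    def files_to_create(self):
        """File names this definition produces, following the extensionsdisabled rule."""
        if self.extensions_disabled:
            # 1: keep the name exactly as written, including any extension it carries
            return [self.name]
        # 0: drop any extension in the name and create one file per default extension
        stem, _ext = ntpath.splitext(self.name)
        return [stem + ext for ext in DEFAULT_EXTENSIONS]


def parse_definitions(text):
    """Parse the Custom HoneyPot Files box.

    Returns (use_defaults, files, errors). A bare 'nodefault' line turns the default
    honeypot files off; every other non-empty line must read
    filename|filetype|extensionsdisabled. Malformed lines are reported rather than
    silently producing unexpected honeypot files.
    """
    use_defaults = True
    files, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        if line.lower() == "nodefault":
            use_defaults = False
            continue
        parts = [p.strip() for p in line.split("|")]
        if len(parts) != 3:
            errors.append(f"line {lineno}: expected filename|filetype|extensionsdisabled, got {line!r}")
            continue
        name, filetype, flag = parts
        filetype = filetype.capitalize()
        if not name:
            errors.append(f"line {lineno}: filename is empty")
        elif filetype not in FILETYPES:
            errors.append(f"line {lineno}: filetype must be Normal, Hidden or System, got {parts[1]!r}")
        elif flag not in ("0", "1"):
            errors.append(f"line {lineno}: extensionsdisabled must be 0 or 1, got {flag!r}")
        else:
            files.append(HoneyPotFile(name, filetype, flag == "1"))
    return use_defaults, files, errors


def detection_mode(text):
    """Summarise what HoneyPot Detection will rely on for this definition box."""
    use_defaults, files, _errors = parse_definitions(text)
    if not use_defaults and not files:
        # no honeypot files exist at all: only file/folder name pattern matching remains
        return "patterns only"
    return "honeypot files and patterns"


# Constructed sample box: defaults off, one name expanded with the default
# extensions, one name kept verbatim, and one malformed line.
SAMPLE_DEFINITIONS = """\
nodefault
invoice_backup|System|0
do_not_delete.txt|Hidden|1
badline|Normal
"""

if __name__ == "__main__":
    use_defaults, files, errors = parse_definitions(SAMPLE_DEFINITIONS)
    print("default honeypot files:", "created" if use_defaults else "disabled")
    for f in files:
        print(f"{f.filetype:7} {f.files_to_create()}")
    for e in errors:
        print("error:", e)
    print("detection mode:", detection_mode(SAMPLE_DEFINITIONS))
```

Run against the sample box, the parser reports the malformed fourth line and still creates the two valid definitions; with `nodefault` and no valid custom entries, `detection_mode` shows the "patterns only" state the text warns about, which is worth checking before saving a configuration that disables the default files.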